The story of Damian Green’s porn-clogged computer has several facets, with a surprising number of them related to data protection. Whether it was a breach for former Deputy Commissioner Bob Quick to reveal that there was porn on the computer is hard to say for certain – I think Quick has a journalistic defence in revealing hypocrisy given that the Government is current waging a moralistic war on adult websites, but you are welcome to disagree. The fact that Quick has form for revealing information that he shouldn’t have only adds spice to the mix.
The question of why Green’s other accuser Neil Lewis still has his police notebooks raises more serious questions. Did he keep them without authorisation from the Met? If he did, this could be a criminal offence under Data Protection’s Section 55 for which Lewis would be liable. Did the Met Police fail to recover them properly? This would be a serious breach of the seventh data protection principle, for which the Met should expect to answer. In any case, I have to agree with those who say that public servants should respect confidences even after they leave the service. Sensitive material should never be retained by former officers of any organisation. I know my reaction to the story is clouded by the entertaining spectacle of seeing a politician caught with his pants down, or at least, unzipped. The question of how the story came to light needs to be interrogated.
Green’s use of the Shaggy Defence to claim that he knows nothing about the porn begs more questions. If he didn’t download it, this means that someone else did (none of the Tories defending him seem to claim that it doesn’t exist). Part of Green’s outrage when his office was raided in 2008 was the threat to the sanctity of Parliamentary Privilege and the confidentiality due to his constituents. In the light of this, Green needs to explain how it was possible for someone else to download porn onto his computer. The best case scenario for him is that this was the result of malware, rather than someone else being able to log into his computer without his knowledge. Of course, malware infecting an MP’s computer is a story in itself. Regardless of whether this story should be in the public domain, we can’t be expected to ignore it now. As someone who processes highly sensitive data about his constituents (as well as possibly other sensitive information), at some point Green has to explain who had access to his computer and what they were doing downloading porn. Or he has to admit that it was him.
I don’t know what, if anything, Green is guilty of, but his fellow Tory Nadine Dorries’ spectacular contribution on Saturday doesn’t allow for any ambiguity. The MP for Mid Bedfordshire has a habit of deleting tweets when she (or someone else running her account) realises how stupid they make her look, so I have screengrabbed this one and I reproduce it in full here:
“My staff log onto my computer on my desk with my login everyday. Including interns on exchange programmes. For the officer on @ just now to claim that the computer on Greens desk was accessed and therefore it was Green is utterly preposterous !!”
UPDATE: There’s more:
“All my staff have my login details. A frequent shout when I manage to sit at my desk myself is, ‘what is the password?’
ANOTHER UPDATE: Robert Syms MP is at it as well
As a constituency MP, Dorries will be handling sensitive correspondence on a wide variety of matters, and she has publicly confirmed that access to information is open to a wide variety of people, including interns on exchange programmes. To this, there is no defence. The seventh data protection principle states that a data controller must have in place appropriate technical and organisational security measures to prevent “unauthorised or unlawful processing of personal data, and against accidental loss of or destruction of or damage to personal data“. This means a mix of technical measures like passwords and encryption and organisational measures like ensuring that passwords are not shared or written down. Dorries has confirmed she has authorised password sharing in her office – which is bad enough in itself because it means passwords are spoken aloud or written down, greatly increasing the chance of the password being known to someone nefarious. But worse than that, she says specifically that a wide group of people share her login. There is no way of knowing who has accessed what, because even if the intern has done it, it looks like Nadine was the person responsible.
The only way that Dorries has not admitted a clear breach of Data Protection’s security principle is if she (or whoever wrote the tweet) is lying in order to defend Green, which is quite the stupidest thing I can imagine.
There are several possible breaches here – Quick’s original revelations about Green, Lewis’ retention of his notebooks / the Met’s failure to recover them when he left, Green’s insecure computer equipment and Dorries’ admission of her completely lax security. While Quick and Green’s problems are somewhat murky, Lewis / Met Police and Dorries present much more straightforward issues for the Information Commissioner. Both should be investigated as a matter of urgency.
Given Dorries’ casual admission of the insecure way in which her office operates, a much wider investigation might be required. Elizabeth Denham has put huge resources into investigating the possibility of political use of analytics and big data in an unlawful way, even though it’s hard to imagine anything coming of it. On the other hand, here we have a sitting MP openly admitting that constituents’ data is unsafe – how many more of Dorries’ colleagues operate in a similarly unlawful fashion? I cannot complain to the ICO about these matters, as I am not affected by them. However, the issues are serious, and Wilmslow should step in immediately. A bland press release reminding MPs to process data safely is not good enough; the ICO needs to demonstrate that Data Protection law applies to MPs just as it does to the rest of us.